will
be held August 27-31 at the Marriott
Wardman hotel in Washington, DC.

Correction to Comments on TSOAUTH Class

Last issue under the Fifteen Minute Project, we misstated the purpose of the
rule named RECOVER in the TSOAUTH resource class. Alert reader Russell West
was kind enough to point out that this rule represents the ability to do a TSO
recovery, that is the ability to salvage a user's TSO address space, for
example when your terminal gets disconnected and you want to reconnect.
Thanks Russell.

How Do I "Hard-Revoke" a Userid When I Don't Have Third Party Software?

If you don't want the risk of a fired employee's userid being resumed
inadvertently, and you have a third party product like Beta-88, Vanguard,
CONSUL, or RA-2, you can hard-revoke the userid. If you don't, here are some
suggestions:

Revoke the userid; mark it RESTRICTED.

Mark it protected, that is NOPASSWORD and NOOIDCARD. This is better than
changing the password, since resuming the userid still won't let people log on to it with a
password.

Give the userid the AUDITOR attribute. If your Help Desk has permission to resume
userids only from a FACILITY class rule, they can't resume userids with AUDITOR (nor
SPECIAL nor OPERATIONS).

Delete all his segments (for example, to cut him out of TSO).

Have a holding group of terminated userids. Connect him to it. Make it his default
group. Remove him from all other groups. Enforce the rule that you never give
permission to userids, only to groups.
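The steps above as one batch TSO job, an added example that is not from the newsletter. The userid FIRED01, the holding group TERMD and the old group PAYROLL are made up; RESTRICTED assumes a RACF level that supports that attribute.

```jcl
//HARDREV  JOB (ACCT),'HARD REVOKE',CLASS=A,MSGCLASS=X
//* Constructed example: hard-revoke the made-up userid FIRED01.
//* 1. Revoke and mark RESTRICTED (no access via UACC, ID(*) or the
//*    global access table even if someone resumes it).
//* 2. NOPASSWORD plus NOOIDCARD makes the userid protected: nobody
//*    can log on to it with a password.
//* 3. AUDITOR keeps a Help Desk that resumes via a FACILITY rule
//*    from resuming it.
//* 4. Drop the TSO, CICS and OMVS segments.
//* 5. Move it to the holding group. Order matters: CONNECT before
//*    DFLTGRP, and DFLTGRP before REMOVE, because RACF will not
//*    remove a user from his current default group.
//* 6. LISTUSER shows the result for the change record.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ALTUSER  FIRED01 REVOKE RESTRICTED
  ALTUSER  FIRED01 NOPASSWORD NOOIDCARD
  ALTUSER  FIRED01 AUDITOR
  ALTUSER  FIRED01 NOTSO NOCICS NOOMVS
  CONNECT  FIRED01 GROUP(TERMD) AUTHORITY(USE)
  ALTUSER  FIRED01 DFLTGRP(TERMD)
  REMOVE   FIRED01 GROUP(PAYROLL)
  LISTUSER FIRED01
/*
```

Repeat the REMOVE for every other group the userid is connected to; LISTUSER output lists them under GROUP.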

Why Would I Use the FACILITY Class Rules Named IEAABD.DUMPAUTH and
IEAABD.DMPAUTH?

As we start to make greater use of encryption, we will need to be
absolutely certain that no one can learn the encryption keys, especially the
keys used to prove the identity of our server, and to support SSL over the
Internet. These FACILITY class rules control the ability to get dumps of
memory containing controlled programs and memory for address spaces which
contain tasks executing with protect keys lower than 8. You will also want to
use dataset rules named SYS1.DUMP%% with a UACC of NONE. See the IBM manual:
RACF Security Administrators Guide.
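An added example, not from the newsletter, that defines the IEAABD.DMPAUTH rule and the SYS1.DUMP%% dataset rule with UACC(NONE) and permits only a systems programming group. The group SYSPROG is made up; the same RDEFINE and PERMIT apply to the other IEAABD rule named in the heading. It assumes generic dataset profiles are active (SETR GENERIC(DATASET)) and that the FACILITY class is RACLISTed.

```jcl
//DUMPPROT JOB (ACCT),'DUMP PROTECT',CLASS=A,MSGCLASS=X
//* Constructed example: restrict who can dump controlled programs
//* and who can read the dump datasets afterwards.
//* READ on the FACILITY rule is what allows the dump; AUDIT(ALL(READ))
//* logs every use so the SMF records show who took dumps.
//* SYS1.DUMP%% is generic (%% matches the two digits of SYS1.DUMP00
//* through SYS1.DUMP99); UACC(NONE) keeps the memory images private.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE  FACILITY IEAABD.DMPAUTH UACC(NONE) AUDIT(ALL(READ))
  PERMIT   IEAABD.DMPAUTH CLASS(FACILITY) ID(SYSPROG) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
  ADDSD    'SYS1.DUMP%%' GENERIC UACC(NONE) AUDIT(ALL(READ))
  PERMIT   'SYS1.DUMP%%' ID(SYSPROG) ACCESS(ALTER)
  SETROPTS GENERIC(DATASET) REFRESH
  RLIST    FACILITY IEAABD.DMPAUTH ALL
  LISTDSD  DATASET('SYS1.DUMP%%') ALL
/*
```

The two list commands at the end are the check: UACC should read NONE and the access list should contain only the systems programming group.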

So What Should I Expect When We Convert from OS/390 to z/OS?

Q: Will they have to break down the wall of the data center to bring in the new hardware?

A: No, it runs in the same boxes as before.

Q: Will they then have to put in new circuit boards in the CPU box?

A: No, they just put in new microcode. This is the logic which tells
the circuit boards how to execute individual instructions (that is,
instructions at the level of LOAD REGISTER and MOVE CHARACTERS).

Q: Is my vast knowledge of JCL, RACF, MVS, and CICS now obsolete?

A: No, these all stay the same. New features may introduce new
operands, but it won't be more difficult than the upgrade to OS/390.

Q: So, what's the big deal with z/OS?

A: It gives you more power, more up-time, more flexibility, and greater
ability to connect over networks. (Did we mention that RACF already gives us
great security over USS, TCP/IP, and the Websphere web server?) It also gives
us 64-bit addressing, which means that the highest number we can address in
memory is much, much bigger than before. z/OS still supports 31-bit and
24-bit addressing; it just gives us the option of 64-bit addressing too.

Q: When the name z/OS comes as the first word in a sentence, should we
make the z be upper case or lower case?

A: IBM is aware of this problem and has their very best people working
on it.

Q: I'm an Assembler Language Programmer, so what does this mean to me?

A: Many control blocks will have changed formats to accommodate 64-bit
addressing. However, this should cause no problem for anyone, since
we have all stopped using programs which rely on the layout of control blocks
which IBM says are not part of the standard programming interface. We all
learned our lesson when we converted to MVS/XA (which is when we first were
able to use 31-bit addressing).

Note that the PSW (Program Status Word) can now be 16 bytes long
instead of 8, and the reserved addresses in low memory now can take 8K instead
of 4K. Previous Assembler Language instructions work the same, but some have
additional versions to support 64-bit addressing (often marked by adding a G
to the instruction name). For example, we have always used the A instruction
to add a fullword to a register, and AH to add a half-word (two bytes) to a
register. With 64-bit addressing, we now have the instruction AG to add two
words (64-bits) to a register. Registers are now 64 bits wide. However, they
look the same, since we ignore the leftmost 32 bits except when we are in
64-bit mode. This means that the right-most 32 bits of each register are used
anytime we are in 24 or 31-bit addressing mode, just as if it were a regular
old 32 bit register.

Interesting Products

We haven't evaluated these, but believe that every RACFer should know
of them.

ASPG announces SMFUTIL, a new utility to automate SMF dumping and ensure SMF
integrity. Call (800) 662-6090 for more info.

Fifteen Minute Project to Improve Your RACF

Review your SETROPTS options for datasets. The following are considered by many
knowledgeable people to be essential for effective security:

PROTECTALL (requires every dataset to be defined to RACF)

TAPEDSN (provides protection for tape datasets, as well as disk datasets, based on
dsname, using the same DATASET rules used for disk datasets)

Rule named ICHBLP in the FACILITY class to control use of Bypass Label Processing.
(Anyone who can BLP can bypass RACF protection for all tape datasets.) (Requires
TAPEVOL class to be active also.) This rule of course doesn't show in the SETR LIST, so
you need to issue RL FACILITY ICHBLP ALL.

Erase-On-Scratch ensures that data in disk datasets is obliterated when the dataset is
deleted. Otherwise the data can be read by whoever happens next to allocate the same
cylinders of the disk pack. (Common practice is to activate this option only for selected
datasets. Please note that the performance problems once associated with this feature are
all but gone, due to hardware improvements.)

(Useful, but perhaps not essential) SETR PREFIX to set a prefix to be used as the high
level qualifier for dsnames which have only one qualifier (for example,
DSNAME=GEORGE)
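The options above, set and then verified, as an added batch job that is not from the newsletter. The group TAPEOPS, the PAYROLL.** profile and the prefix SINGLEQ are made up; it assumes the FACILITY class is RACLISTed.

```jcl
//SETRFIX  JOB (ACCT),'SETR OPTIONS',CLASS=A,MSGCLASS=X
//* Constructed example for the Fifteen Minute Project.
//* PROTECTALL(FAILURES) rejects access to any undefined dataset;
//* PROTECTALL(WARNING) is the trial mode to run first if you are
//* not sure every dataset already has a profile.
//* TAPEDSN protects tape datasets by dsname with the DATASET rules;
//* ICHBLP is only checked when TAPEVOL is also active.
//* ERASE alone erases only datasets whose profile carries ERASE,
//* which is the selective practice described above.
//* PREFIX supplies the high level qualifier for one-qualifier
//* names, so DSNAME=GEORGE is checked as SINGLEQ.GEORGE and needs
//* a SINGLEQ.** profile.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS PROTECTALL(FAILURES)
  SETROPTS TAPEDSN
  SETROPTS CLASSACT(TAPEVOL FACILITY)
  RDEFINE  FACILITY ICHBLP UACC(NONE) AUDIT(ALL(READ))
  PERMIT   ICHBLP CLASS(FACILITY) ID(TAPEOPS) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
  SETROPTS ERASE
  ALTDSD   'PAYROLL.**' ERASE
  SETROPTS PREFIX(SINGLEQ)
  ADDSD    'SINGLEQ.**' GENERIC UACC(NONE)
  SETROPTS LIST
  RLIST    FACILITY ICHBLP ALL
/*
```

In the SETROPTS LIST output, look in the dataset and user options section for PROTECTALL and TAPE DATASET PROTECTION IS ACTIVE; the ICHBLP rule only shows in the RLIST output.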

To read the output of the SETR LIST command, (whose format is almost
impossible to read), consider breaking it into five parts (in your head, of
course). The first part is the first line. The second part is all the
information about resource classes, which goes on for several pages. The third
part describes dataset and user options (including PROTECTALL and others
listed above). The fourth section describes password options, and the fifth
(last) section is miscellaneous stuff that doesn't fit anywhere else. Start
by marking the output into five sections, then look just at the third section
for the items listed above.

Note that the way options are described in SETR LIST output often
uses completely different words from the words you use in setting the options.
For example, SETR TAPEDSN results in a listing describing TAPE DATASET
PROTECTION IS ACTIVE. Other discrepancies are so egregious that we can't
print them in a family publication. Just laugh when you see them, and think
"IBM can't fool me."

Our next meeting will be hosted by Vanguard Integrity Professionals,
which is also providing members with a free, pre-meeting lunch and product
demonstration. Vanguard's product presentation precedes and is completely
separate from our regular meeting. The product presentation will describe
QS/390 and other VIP products. Our speaker will be: Phil Emrich of Vanguard
on "RACF Security for MQ Series on OS/390". As always, we will have a
question and answer session with some of the keenest RACF minds in the State
to answer questions.

Time: Tuesday, April 3, 2001. The lunch and product presentation will begin at noon. The regular
meeting starts at 1PM until it's too late to go back to the office.

Place: The Holiday Inn at 440 West 57th Street in Manhattan, phone (212) 581-8100. Lunch is in
the restaurant, the meeting is in the Renaissance A room.

==============================================================

BWRUG (Baltimore/Washington RUG):

Our next meeting will be hosted by Vanguard Integrity Professionals,
which is also providing members with a free, pre-meeting lunch and product
demonstration. Vanguard's product presentation precedes and is completely
separate from our regular meeting. The product presentation will describe
QS/390 and other VIP products. At the regular meeting, our speaker will be:
Phil Emrich of VIP on RACF and CICS. Phil will describe the new security
facilities recently added to CICS Transaction Server for OS/390. He will also
explain Security for CICS and the Web. As always, we will have a question and
answer session with some of the keenest RACF minds in the Capital area to
answer questions.

Time: Monday, April 2, 2001. The regular meeting will be from 1PM to 5PM, and the free lunch
and product demo will be from noon to 1PM.

Place: Marriott Residence Inn at 7335 Wisconsin Ave in
Bethesda, MD, phone (301) 718-0200. This is at the Bethesda stop of the RED
LINE of the Metro (which goes quickly to Union Station for MARC and Amtrak
riders). By car: Take the beltway I495 to Exit 34 (Wisconsin Ave.) This is
NW of DC, near where I270 joins I495. Take Wisconsin Ave South (aka Route 355
South) about 2.5 miles. Watch for the Hyatt/Bethesda Metro on the right.
Just past the Hyatt, take the next left onto Montgomery Avenue. Go one block
and take the first right onto Waverly Avenue. Waverly wraps around to the
front of the hotel where there is valet parking.

==============================================================

What Comes After Kilobyte and Megabyte?

Since z/OS has 64 bit addressing, we need to learn some new words for
big big amounts of memory. Here they are:

Megabyte equals a little over a million bytes (2 raised to the 20th power)

Gigabyte equals a little over a trillion bytes (2 raised to the 30th power)

Terabyte equals a little over a million, million bytes (2 raised to the 40th power)

Petabyte equals a little over a trillion, million bytes (2 raised to the 50th power)

Exabyte equals a little over a trillion, trillion bytes (2 raised to the 60th power)

====> Note that 2 raised to the 64th power is 16E, that is 16 exabytes.

Permanently Interesting Products Column

We have not evaluated these, but think every RACF shop should know about them.

The Security Bridge from Security Integration provides a patented method
for linking RACF to legacy application security. For more info, call (800)
888-5031, or see
www.securityintegration.com.

RACF Password Cracker Program, no longer free, but with more features than
the free version (see related article earlier in this issue). Email Peter
Goldis at pgoldis@world.std.com or look at
www.goldisconsulting.com

SecurePass from Proginet to link RACF with Windows NT security. Call (516)
248-3366 for more info. OR http://www.proginet.com

HG RACF and Security Training Schedule:

The Henderson Group offers its RACF and computer security/audit seminars around the
country and on-site too. See the details below or call (301) 229-7187 for a free seminar catalog.
To see what students say about these classes, please go to
www.stuhenderson.com.
1) HG04 Effective RACF Administration ($1795)
May 7-11, 2001 in Atlanta, GA
Sept.10-14, 2001 in New York City
Nov. 5-9, 2001 in Clearwater, FL
2) HG05 Advanced RACF Administration ($1185)
Mar. 28-30, 2001 in Clearwater, FL
Oct. 17-19, 2001 in Atlanta, GA
3) HG17 How to Be an Effective OS/390 (MVS) Data Security Officer (covers CICS,
VTAM, DB2, JES, and other security along with MVS security, SAF, and OS/390)
($1190)
May 16-18, 2001 in Atlanta, GA
Sept. 5-7, 2001 in New York City
4) HG40 Mastering Windows 2000 (NT) Security (Windows 2000 is the new name for
Windows NT Release 5, or NT5; this class covers NT4 security as well as Windows
2000 security) ($1195)
Apl. 25-27, 2001 in Bethesda, MD (near Washington, DC)
Sept. 19-21, 2001 in New York City

For Back Issues of this newsletter and Links to Several Useful Web
Sites: check the Henderson Group website at www.stuhenderson.com

RACF List Server on the Internet

To join, send E-mail to the administrator for the
server. (Don't send it to the server itself or your request
will be routed to every subscriber.) For example, if your
name is John Smith and you want to subscribe, then
send this E-mail:

subscribe racf-l john smith

to the address: listserv@listserv.uga.edu

The reply will include directions on how to get
info such as a list of all subscribers, an index to previous
comments, and a command summary.

The RACF User News is published three times a year
(December, March, and September) to share information
about RACF. All information in it is offered on an "as is"
basis, and should be used at your own risk, and with
your own testing.
